Method for Enabling Lawful Interception by Providing Security Information

ABSTRACT

A method and apparatus are provided. Information associated with a lawful interception of communication data of a user equipment is received. Security information associated with the communication data of the user equipment is provided in response to the received information. The security information is based on a first secret which is shared between a communication network provider and the user equipment.

FIELD OF INVENTION

The present application relates to lawful interception and in particular, but not exclusively, to the lawful interception of data communicated between a user equipment and an application server.

BACKGROUND

A communication system can be seen as a facility that enables communications between two or more entities such as a communication device, e.g. mobile stations (MS) or user equipment (UE), and/or other network elements or nodes, e.g. Node B or base transceiver station (BTS), associated with the communication system. A communication system typically operates in accordance with a given standard or specification which sets out what the various entities associated with the communication system are permitted to do and how that should be achieved.

Wireless communication systems include various cellular or otherwise mobile communication systems using radio frequencies for sending voice or data between stations, for example between a communication device and a transceiver network element. Examples of wireless communication systems may comprise public land mobile networks (PLMN), such as the global system for mobile communication (GSM), the general packet radio service (GPRS), the universal mobile telecommunications system (UMTS) or WiFi.

A mobile communication network may logically be divided into a radio access network (RAN) and a core network (CN). The core network entities typically include various control entities and gateways for enabling communication via a number of radio access networks and also for interfacing a single communication system with one or more communication systems, such as other wireless systems, for example a wireless Internet Protocol (IP) network, and/or fixed line communication systems, such as a public switched telephone network (PSTN). Examples of radio access networks may comprise the UMTS terrestrial radio access network (UTRAN) and the GSM/EDGE radio access network (GERAN).

A user equipment or mobile station may be provided with access to applications supported by the core network via the radio access network, but potentially also via other networks. The core network may provide functionality to authenticate a user or otherwise support the security of communication between a user equipment and an application. This functionality may be provided for example by a generic bootstrapping architecture.

A requirement of some networks is the provision of lawful interception capabilities. As communication technology advances, lawful interception also becomes relevant in a general service context. IP based communication services, e.g. video or voice, are also relevant from a lawful interception perspective. In lawful interception, communication data on the network is intercepted and provided to a lawful authority. The lawful authority can analyse the data with regard to any lawful issues that may arise.

SUMMARY OF INVENTION

According to a first aspect, there is provided a method comprising: receiving information associated with a lawful interception of communication data of a user equipment; and providing security information associated with the communication data of the user equipment in response to the received information; wherein the security information is based on a first secret which is shared between a communication network provider and the user equipment.

The security information may comprise a second secret shared between a credentials server and the user equipment, said second secret being based on the first secret. The received information may comprise an identity of the communication data to be intercepted. The received information may comprise at least one of: an identity of the user equipment; an identity of an application server; and an identity of a type of communication. The communication data of the user equipment may be communication data between the user equipment and an application server.

Providing security information may further comprise: generating an interception related information report comprising the security information; and sending the interception related information report to a lawful interception entity. The second secret may comprise a key for the encryption of communication between the user equipment and an application server. The key may be at least one of: a symmetric key and an application specific key.

According to a second aspect, there may be provided an apparatus comprising: receiving means for receiving information associated with a lawful interception of communication data of a user equipment; and providing means for providing security information associated with the communication data of the user equipment in response to the received information; wherein the security information is based on a first secret which is shared between a communication network provider and the user equipment.

The security information may comprise a second secret shared between a credentials server and the user equipment, said second secret being based on the first secret. The received information may comprise an identity of the communication data to be intercepted.

The received information may comprise at least one of: an identity of the user equipment; an identity of an application server; and an identity of a type of communication. The communication data of the user equipment may be communication data between the user equipment and an application server.

The providing means may be further configured to generate an interception related information report comprising the security information and send the interception related information report to a lawful interception entity. The second secret may comprise a key for the encryption of communication between the user equipment and an application server. The key may be at least one of: a symmetric key; and an application specific key. The apparatus may be one of a credentials server and an application server.

According to a third aspect, there is provided a computer program product, comprising program instructions, when executed, performing the steps of: receiving information associated with a lawful interception of communication data of a user equipment; and providing security information associated with the communication data of the user equipment in response to the received information; wherein the security information is based on a first secret which is shared between a communication network provider and the user equipment.

According to a fourth aspect, there is provided a method comprising: sending information associated with a lawful interception of communication data of a user equipment; and receiving security information associated with the communication data of the user equipment in response to the sent information; wherein the security information is based on a first secret which is shared between a communication network provider and the user equipment.

The security information may comprise a second secret shared between a credentials server and the user equipment, said second secret being based on the first secret. The sent information may comprise an identity of the communication data to be intercepted. The communication data of the user equipment may be communication data between the user equipment and an application server.

According to a fifth aspect, there is provided an apparatus comprising: sending means for sending information associated with a lawful interception of communication data of a user equipment; and receiving means for receiving security information associated with the communication data of the user equipment in response to the sent information; wherein the security information is based on a first secret which is shared between a communication network provider and the user equipment.

The apparatus may be a lawful interception network entity.

According to a sixth aspect, there is provided a computer program product, comprising program instructions, when executed, performing the steps of: sending information associated with a lawful interception of communication data of a user equipment; and receiving security information associated with the communication data of the user equipment in response to the sent information; wherein the security information is based on a first secret which is shared between a communication network provider and the user equipment.

According to a seventh aspect, there is provided an apparatus comprising at least one processor and a memory, the processor and the memory configured to: receive information associated with a lawful interception of communication data of a user equipment; and provide security information associated with the communication data of the user equipment; wherein the security information is based on a first secret which is shared between a communication network provider and the user equipment.

According to an eighth aspect, there is provided an apparatus comprising at least one processor and a memory, the processor and the memory configured to: send information associated with a lawful interception of communication data of a user equipment; and receive security information associated with the communication data of the user equipment; wherein the security information is based on a first secret which is shared between a communication network provider and the user equipment.

BRIEF DESCRIPTION OF ACCOMPANYING FIGURES

FIG. 1 is a schematic diagram of a network in accordance with a first embodiment;

FIG. 2 is a flow diagram depicting method steps in accordance with a first embodiment;

FIG. 3 is a schematic diagram of a network in accordance with a second embodiment;

FIG. 4 is a flow diagram depicting method steps in accordance with a second embodiment;

FIG. 5 is a schematic diagram of a network in accordance with a third embodiment;

FIG. 6 is a flow diagram depicting method steps in accordance with a third embodiment;

FIG. 7 is a schematic diagram of a network in accordance with a fourth embodiment; and

FIG. 8 is a flow diagram depicting method steps in accordance with a fourth embodiment.

DESCRIPTION

Communication of data between a user equipment and an application server in a telecommunications network may be encrypted or otherwise secured in order to prevent unauthorised access to the data. The generic bootstrapping architecture (GBA) is a generic security enabler that may provide an application server and a user equipment with such a security association. The GBA functionality may provide shared secrets to the user equipment and application server based on the cellular credentials of the user equipment and/or application server. The shared secret may be derived in the GBA credential server (BSF) and in the UE. The shared secret may then be used by the user equipment and application server to protect communications, service security, data, media and/or be used for authentication or authorisation.

In GBA, a GBA credential server, for example a bootstrapping server function (BSF), may be set up to facilitate authentication of a UE and provide a shared secret to an application server. The security association is based on cellular credentials or another type of pre-agreed credentials (such as SIP Digest credentials). As the BSF is generic, it may be used by multiple users for a plurality of communication security services. The BSF may authenticate a user by using a valid identity of the user registered in a home location register (HLR) or a home subscriber server (HSS). The BSF may then trigger the establishment of a shared secret in the UE and provide the application server with the shared secret, which may be used for securing the communication between the application server and user equipment.

Lawful interception (LI) is the legally authorised process by which a law enforcement agency may be given access to data communicated on a telecommunications network. The data may be intercepted and provided to a law enforcement agency for analysis or further action. In order for any meaningful analysis of such data to be made, encrypted data should be decrypted for analysis. However, secured communication between nodes in a network may be set up so that only the addressed recipient of the data may decrypt it.

Embodiments of the present application may provide a method for data secured using the generic bootstrapping architecture to be lawfully intercepted with the ability to decrypt the data.

FIG. 1 shows an example of a network with lawful interception and generic bootstrapping architecture functionality. FIG. 1 only comprises those features of a network used in the description of embodiments and it will be appreciated that the network shown in FIG. 1 may comprise further components used to provide communication service. For example, while a base station or Node B is not shown in FIG. 1, it will be appreciated that the network may comprise such functionality.

FIG. 1 comprises a user equipment (UE) 101 and a network application function (NAF) 102. The NAF 102 may be an application server and may be configured to communicate with the UE 101 over an interface, for example a Ua interface. The NAF 102 may provide a service or other data to the UE 101 or a further network node associated with the UE 101. The NAF 102 may be a service provided to the UE 101; for example, the NAF 102 may provide mobile TV, authorisation, single sign on, authentication, credentials for peer-to-peer communications, etc. It will be appreciated that only some of these services may be of interest for lawful interception.

The communication between the UE 101 and NAF 102 may be secured using a shared secret in accordance with the generic bootstrapping architecture (GBA).

In accordance with the GBA, a bootstrapping server function (BSF) 103 is provided. The BSF 103 may form part of the core network. The BSF 103 may be able to communicate with the UE 101 over an interface Ub and with the NAF 102 over an interface Zn or Zn′ in some embodiments. The BSF 103 may be configured to authenticate the UE 101 using cellular information, for example information relating to the subscriber identity module (SIM) card or universal integrated circuit card (UICC) of the UE 101. The BSF 103 may make use of a home subscriber server (HSS) 104 and/or a subscription locator function (SLF) 105 to authenticate the cellular information of the UE 101.

The Generic Bootstrapping Architecture (GBA) is a generic security enabler that provides an application server and a UE with one or more shared secrets based on the cellular credentials. This secret can be used to protect communications, data, media or used for authentication or authorization. Once a GBA credential server is set up for one purpose in the operator network, it can be used for many other communication security services as well (it is a generic security enabler). An example of the GBA architecture is defined in 3GPP TS 33.220.

In the generic bootstrapping architecture, a UE may initiate contact with a NAF, for example because the UE desires to make use of a service provided by the NAF. In order for secure communication to be carried out between the UE and the NAF, a security association between the UE and the NAF is generated. In order to generate this association, the UE may be authenticated with a BSF.

This authentication may make use of information inherent to the UE. For example, the authentication may take place using an identity of the UE and information such as SIM information. The BSF may have access to this information via home subscriber server and/or subscription locator function network entities.

If the UE is successfully authenticated, the UE and the BSF may generate a key in parallel. It will be appreciated that the key generated by the BSF and the key generated by the UE will be the same, as the same data (for example SIM information) is used to generate the key in each entity. The key may be based on a shared secret. In this example, the shared secret may correspond to SIM information. By using a shared secret, the key itself need not be communicated between the UE and the BSF or between the UE and the NAF.

The BSF may then provide the key to the NAF, where it is used for communication between the UE and the NAF.

While embodiments of the present application are described in relation to the generic bootstrapping architecture, it will be appreciated that other shared secret security systems may be used. For example, such systems may provide a first shared secret between a user equipment and a communications network provider. This first shared secret may be, for example, SIM information. A credentials server may then facilitate the authentication of a user equipment based on this first shared secret. The credentials server and UE may use the first shared secret to generate a second shared secret. This second secret may be, for example, a symmetric key and may be used by the UE and a NAF to encrypt communication between the UE and the NAF. It will be appreciated that the credentials server and the UE may generate the second shared secret in parallel based on the first shared secret. The security information for the encryption of communication between the UE and the NAF may therefore be based on the first shared secret.
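The parallel derivation described above, worked through as an added example (not code from the application): the UE and the BSF each compute Ks = CK || IK from the first shared secret and then the NAF specific key Ks_NAF, so that only the second secret, never the first, reaches the NAF. The KDF follows the TS 33.220 Annex B layout, but the AKA step that yields CK/IK is a stand-in, and the key K, RAND, IMPI, NAF names and Ua protocol identifier are constructed values.

```python
"""GBA key derivation run in parallel by the UE and the BSF (added example).
Not code from the patent application. Models the TS 33.220 derivation
(Ks = CK || IK; Ks_NAF = KDF(Ks, "gba-me", RAND, IMPI, NAF_Id) with the
Annex B KDF layout; B-TID = base64(RAND)@bsf_domain). The AKA functions that
produce CK/IK are a stand-in; keys, identities and the Ua protocol
identifier are constructed."""
from __future__ import annotations

import base64
import hashlib
import hmac

FC_GBA_ME = b"\x01"  # FC octet of the GBA_ME derivation (TS 33.220 Annex B)


def kdf(key: bytes, *params: bytes) -> bytes:
    """Annex B style KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 || ...)."""
    s = FC_GBA_ME + b"".join(p + len(p).to_bytes(2, "big") for p in params)
    return hmac.new(key, s, hashlib.sha256).digest()


def aka_ck_ik(k: bytes, rand: bytes) -> tuple[bytes, bytes]:
    """Stand-in for AKA f3/f4 (MILENAGE on the UICC and in the HSS): only the
    property that both sides get the same CK/IK from K and RAND matters here."""
    ck = hmac.new(k, b"f3" + rand, hashlib.sha256).digest()[:16]
    ik = hmac.new(k, b"f4" + rand, hashlib.sha256).digest()[:16]
    return ck, ik


def naf_id(naf_fqdn: str, ua_protocol_id: bytes) -> bytes:
    """NAF_Id = NAF_FQDN || Ua security protocol identifier."""
    return naf_fqdn.encode() + ua_protocol_id


def ks_naf(ks: bytes, rand: bytes, impi: str, nafid: bytes) -> bytes:
    """Application specific key Ks_NAF = KDF(Ks, "gba-me", RAND, IMPI, NAF_Id)."""
    return kdf(ks, b"gba-me", rand, impi.encode(), nafid)


class UE:
    """Holds the first shared secret K (on the UICC) and derives Ks locally."""

    def __init__(self, impi: str, k: bytes):
        self.impi, self.k = impi, k
        self.ks = self.rand = None

    def bootstrap(self, rand: bytes) -> None:
        """Ub run: RAND arrives from the BSF; CK/IK and Ks are computed on the UE."""
        ck, ik = aka_ck_ik(self.k, rand)
        self.ks, self.rand = ck + ik, rand

    def naf_key(self, naf_fqdn: str, ua_protocol_id: bytes) -> bytes:
        return ks_naf(self.ks, self.rand, self.impi, naf_id(naf_fqdn, ua_protocol_id))


class BSF:
    """Credentials server: authenticates via the HSS and keeps Ks per B-TID."""

    def __init__(self, domain: str, hss: dict[str, bytes]):
        self.domain, self.hss, self.sessions = domain, hss, {}

    def bootstrap(self, impi: str, rand: bytes) -> str:
        # The HSS hands CK/IK to the BSF inside the authentication vector; K never leaves it.
        ck, ik = aka_ck_ik(self.hss[impi], rand)
        btid = base64.b64encode(rand).decode() + "@" + self.domain
        self.sessions[btid] = (impi, rand, ck + ik)
        return btid

    def naf_key(self, btid: str, naf_fqdn: str, ua_protocol_id: bytes) -> bytes:
        """Zn request from a NAF: only the NAF specific key leaves the BSF, never Ks."""
        impi, rand, ks = self.sessions[btid]
        return ks_naf(ks, rand, impi, naf_id(naf_fqdn, ua_protocol_id))


def demo() -> dict[str, object]:
    """Constructed run: one bootstrapping, then keys for two different NAFs."""
    k = bytes.fromhex("000102030405060708090a0b0c0d0e0f")     # constructed long-term key K
    rand = bytes.fromhex("0f0e0d0c0b0a09080706050403020100")  # constructed RAND
    impi = "user@operator.example"
    ua_proto = bytes.fromhex("0100000001")                    # constructed Ua protocol id
    ue, bsf = UE(impi, k), BSF("bsf.operator.example", {impi: k})
    btid = bsf.bootstrap(impi, rand)
    ue.bootstrap(rand)  # the UE gets RAND (and the B-TID) over Ub and derives the same Ks
    return {
        "btid": btid,
        "ue_key": ue.naf_key("tv.operator.example", ua_proto),
        "naf_key": bsf.naf_key(btid, "tv.operator.example", ua_proto),
        "other_naf_key": bsf.naf_key(btid, "chat.partner.example", ua_proto),
    }


if __name__ == "__main__":
    r = demo()
    print(r["btid"], r["ue_key"] == r["naf_key"], r["ue_key"] != r["other_naf_key"])
```

Running the block prints the B-TID and two booleans: the UE's and the BSF's copies of Ks_NAF agree, and the key handed to a second NAF differs even though Ks is the same, which is what lets the BSF issue per-NAF keys without ever exposing Ks or K.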

The network of FIG. 1 may further be provided with lawful interception capabilities. In FIG. 1 a law enforcement monitoring facility (LEMF) 106 may be provided. The LEMF 106 may monitor and store lawfully intercepted data in some embodiments. In some embodiments, the LEMF 106 may receive security information associated with lawful interception and use the security information to decrypt lawfully intercepted data or provide the security information to a further server or entity.

The LEMF 106 may send and receive data to and from a first network entity 107, which may carry out administrative or control functions with respect to lawful interception, and a second network entity 108, which may provide the delivery of lawfully intercepted content. In some embodiments, the LEMF 106 may communicate with the first entity 107 via a first handover interface HI1 and with the second entity 108 via a second handover interface HI2.

In operation, the LEMF 106 may indicate an identity of a service and/or user to be monitored to the first network entity 107. The first network entity 107 may use this indicated information to instruct a further network entity to intercept data relating to the identified service and/or user and provide it to the LEMF 106. In some embodiments this indication takes the form of identifying a trigger in response to which data should be intercepted.

The second network entity 108 may receive intercepted data in response to the trigger and deliver the intercepted data to the LEMF 106. It will be appreciated that while the first and second network entities have been described as separate entities, they may be co-located or form part of a single network entity in some embodiments.

It will be appreciated that while FIG. 1 has been described as a network, not all the entities in FIG. 1 may be within a single network domain. For example, the NAF 102 may be external to a network of the UE 101. Additionally, the law enforcement monitoring facility may be external to the network in some embodiments.

In some embodiments, the LEMF 106 may lawfully intercept data by indicating to network entities involved in communication which information is to be intercepted. For example, the LEMF 106 may provide a user identifier and optionally a service identity for which communication is to be intercepted. In some embodiments, data may be intercepted on the Ua interface. The Ua interface may run over cellular, but may also run over fixed or other types of networks. In some embodiments, data may be intercepted by a node in the network such as a gateway GPRS support node (GGSN) and serving GPRS support node (SGSN), for example. For example, the first network entity 107 may provide an identity of data to be intercepted to the GGSN and/or SGSN and these nodes may provide intercepted data to the second network entity 108.

If the intercepted data from a network node (for example a GGSN and/or SGSN) is secured in accordance with the generic bootstrapping architecture, however, the LEMF 106 will not be able to decrypt the intercepted data. FIG. 1 shows an example where the LEMF 106 may access security information from the BSF 103 in order to decrypt intercepted data.

In the embodiment of FIG. 1, the first network entity 107 may communicate with the BSF 103 via an X1_1 interface. The first network entity 107 may provide trigger information to the BSF 103. In some embodiments this trigger information may identify which data or information is of interest for lawful interception. The information may identify a service and/or user identity. The information communicated from the first network entity 107 may be configured to trigger the reporting of security information from the BSF 103 associated with the identified service and/or user identity for data that will be lawfully intercepted.

For example, triggering information from the first network entity 107 containing an identity of a user may trigger the reporting of one or more cryptographic keys and related information, e.g. key lifetime, key identifier and the service the key relates to, associated with the identified user.

The triggering information may comprise one or more of an identity of a user, an identity of a service or NAF 102 and/or the type of event to trigger the reporting.

The user identity in the triggering information may be for example an international mobile subscriber identity (IMSI) or Mobile Subscriber Integrated Services Digital Network Number (MSISDN) of the user. In some embodiments, the BSF 103 may map the user identity received in the triggering information to a HSS or SLF to identify the user.

For example, the reporting of cryptographic information may be triggered when a user accesses the BSF 103 to generate an application specific key Ks_(ext/int)_NAF. The key may be application specific in that it is generated for communication between the user and a specified NAF 102. When this key generation occurs, the BSF 103 may be triggered to report security information to the LEMF 106. It will be appreciated that this is by way of example only and reporting may alternatively or additionally be triggered in response to any modification, generation or management of the key or security information. For example, reporting may be triggered when a NAF 102 requests a GBA key from the BSF. The resultant IRI may include an identity of the NAF 102 communicating with the UE 101. In this case the LEMF 106 may be made aware of which service a user is communicating with. In some cases, where the NAF 102 is external to the network, the LEMF 106 may not otherwise have access to this information.

In some embodiments, the reporting may comprise the generation of lawful interception intercept related information (IRI). This may be, for example, the encryption related parameters and information related to the encryption of content between the UE 101 and NAF 102. In some embodiments, the IRI may comprise information to enable the LEMF 106 or an associated entity to decrypt the intercepted encrypted data.

The BSF 103 may filter the information in the IRI before sending it. For example, the BSF may determine whether the LEMF 106 requires all GBA keys associated with a user or just the keys associated with a specific NAF 102. The triggering information received by the BSF 103 from the LEMF 106 may have identified which service types are of interest. Alternatively, the list of services for which an IRI is triggered may be pre-configured in the BSF 103. This list might be country dependent. In other embodiments, the LEMF 106 may require all keys associated with a user to be included in the IRI.

In some embodiments, a GBA key may have already been generated for a user by the time triggering information is received from the first network entity 107. In this case, the reporting of IRI may be immediately triggered to provide the key being used by the user. In some embodiments, the BSF 103 does not store all parameters associated with a user key. However, the BSF may re-generate the user's key based on a master key from which all application specific keys are derived.

The IRI may be provided to the second network entity 108. In some embodiments, the IRI may be provided via an X2 interface between the BSF 103 and the second network entity 108. This second network entity 108 and X2 interface may provide an intercept related information delivery path to the LEMF 106. The second network entity 108 may then provide the IRI to the LEMF 106.

FIG. 2 shows an example of a flow diagram of the method steps carried out in some embodiments.

At step 201, the BSF 103 may receive triggering information from the LEMF 106. This triggering information may be received from a first network entity 107 associated with the LEMF 106 over an X1_1 interface. The triggering information may contain, for example, at least one of an identity of a user, an identity of one or more services and a type of trigger event.

At step 202 the BSF 103 determines whether intercept related information (IRI) should be generated. If it is determined that an IRI should be generated, for example because a key has already been generated for an identified user and/or a request for key generation or management has been received from a user and/or NAF 102, the method proceeds to step 203. At step 203, the generated IRI is sent.

If it is determined that an IRI should not be generated, for example if the triggering conditions are not met, the BSF 103 continues to monitor requests from the UE 101 and NAF 102 until the triggering conditions are satisfied and an IRI is generated.
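Steps 201 to 203, together with the filtering and re-derivation behaviour described for the BSF above, as an added example that is not part of the application: a trigger carrying a user identity and optionally NAF identities and event types is stored; if the user already has a key, IRI is generated at once for each NAF of interest; later key events (a bootstrapping run, a Zn request from a NAF) generate further IRI; and a pre-configured service list filters what is reported. The `Trigger` and `Session` dataclasses, the IRI field names, the user-identity-to-IMPI map standing in for the HSS/SLF lookup and the one-line stand-in for the GBA KDF are this example's own assumptions.

```python
"""BSF-side handling of an LI trigger, following FIG. 2 steps 201 to 203.
Added example, not code from the patent application. Trigger fields, IRI
contents (key, B-TID as key identifier, lifetime, NAF identity), filtering
against a pre-configured service list and re-derivation of application
specific keys from the master key Ks follow the description above; message
layouts, the user-to-IMPI map and the KDF stand-in are this example's own."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class Trigger:
    """Triggering information received over X1_1 (step 201)."""
    user_id: str                     # IMSI or MSISDN as given by the LI entity
    naf_ids: set[str] | None = None  # None: all keys of the user are of interest
    events: set[str] = field(default_factory=lambda: {"existing", "generate", "naf_request"})


@dataclass
class Session:
    """State the BSF keeps after a Ub bootstrapping run."""
    btid: str
    impi: str
    ks: bytes                        # master key; Ks_NAF is re-derived on demand
    lifetime: int
    nafs_seen: set[str] = field(default_factory=set)  # NAFs that fetched a key over Zn


def derive_naf_key(ks: bytes, naf_id: str) -> bytes:
    """Stand-in for Ks_NAF = KDF(Ks, ...); the BSF need not store Ks_NAF itself."""
    return hmac.new(ks, naf_id.encode(), hashlib.sha256).digest()


class BSF:
    def __init__(self, hss: dict[str, str], service_list: set[str] | None = None):
        self.hss = hss                    # user identity -> IMPI (the HSS/SLF lookup)
        self.service_list = service_list  # pre-configured, possibly country dependent
        self.sessions: dict[str, Session] = {}
        self.triggers: dict[str, Trigger] = {}
        self.x2: list[dict] = []          # IRI reports handed to the X2 delivery path

    def _wanted(self, trig: Trigger, naf_id: str) -> bool:
        """Filtering of step 202: the trigger's NAF list, then the BSF's service list."""
        if trig.naf_ids is not None and naf_id not in trig.naf_ids:
            return False
        return self.service_list is None or naf_id in self.service_list

    def _report(self, sess: Session, trig: Trigger, targets: set[str], event: str) -> int:
        """Steps 202/203 for a set of NAFs: filter, then generate and send one IRI each."""
        hits = [n for n in sorted(targets) if self._wanted(trig, n)]
        for n in hits:
            self.x2.append({"event": event, "impi": sess.impi, "btid": sess.btid,
                            "naf_id": n, "key_lifetime": sess.lifetime,
                            "ks_naf": derive_naf_key(sess.ks, n).hex()})
        return len(hits)

    def activate(self, trig: Trigger) -> int:
        """Step 201: store the trigger; if a key already exists for the user an IRI
        is generated at once (steps 202/203), otherwise monitoring continues."""
        impi = self.hss[trig.user_id]
        self.triggers[impi] = trig
        sess = self.sessions.get(impi)
        if sess is None or "existing" not in trig.events:
            return 0
        targets = trig.naf_ids if trig.naf_ids is not None else sess.nafs_seen
        return self._report(sess, trig, targets, "existing")

    def on_bootstrap(self, impi: str, btid: str, ks: bytes, lifetime: int) -> int:
        """Ub run completed: Ks exists. Report keys for NAFs named in a pending trigger."""
        sess = self.sessions[impi] = Session(btid, impi, ks, lifetime)
        trig = self.triggers.get(impi)
        if trig is None or "generate" not in trig.events or not trig.naf_ids:
            return 0
        return self._report(sess, trig, trig.naf_ids, "generate")

    def on_naf_request(self, btid: str, naf_id: str) -> bytes:
        """Zn request from a NAF: derive Ks_NAF and, under a trigger, report it
        (the IRI then also tells the LEMF which service the user is using)."""
        sess = next(s for s in self.sessions.values() if s.btid == btid)
        sess.nafs_seen.add(naf_id)
        trig = self.triggers.get(sess.impi)
        if trig is not None and "naf_request" in trig.events:
            self._report(sess, trig, {naf_id}, "naf_request")
        return derive_naf_key(sess.ks, naf_id)


def demo() -> BSF:
    """Constructed run: the user is already bootstrapped when the trigger arrives."""
    btid, impi = "cmFuZA==@bsf.operator.example", "user@operator.example"
    bsf = BSF(hss={"262011234567890": impi},
              service_list={"tv.operator.example", "chat.operator.example"})
    bsf.on_bootstrap(impi, btid, b"K" * 32, 3600)
    bsf.on_naf_request(btid, "tv.operator.example")    # before the trigger: no IRI
    bsf.activate(Trigger(user_id="262011234567890"))   # key already in use: IRI at once
    bsf.on_naf_request(btid, "chat.operator.example")  # in the service list: IRI
    bsf.on_naf_request(btid, "sso.partner.example")    # not in the list: filtered out
    return bsf
```

After `demo()` the X2 list holds exactly two reports: the key the user was already using with the TV service (reported immediately on activation) and the key fetched afterwards by the chat service; the request from the partner SSO service yields a key but no IRI because it is not on the BSF's service list.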

FIGS. 1 and 2 show embodiments relating to the provision of security information from a BSF 103 of a generic bootstrapping architecture to a lawful interception entity. It will be appreciated that in some embodiments, security information may in addition be provided by the NAF 102 to the LEMF 106. In these embodiments, interfaces may be provided between the NAF 102 and the first and second network entities 107 and 108.

The above has described the lawful interception of security information such as key information by the LEMF 106. It will be appreciated that the lawful interception of the content of the communication also takes place. For example, while the security information is lawfully intercepted from the BSF 103 and, in some embodiments, the NAF 102, the content of the communication between the UE 101 and NAF 102 is also intercepted.

In some embodiments this interception may take place on the Ua interface between the UE 101 and NAF 102. For example, communication may be intercepted by a GGSN and/or an SGSN and provided to the LEMF 106 via the second network entity 108. In other embodiments, the NAF 102 may carry out the lawful interception of data between the UE 101 and NAF 102.

FIGS. 3 to 6 show examples of the NAF 102 carrying out interception of the data.

In a further embodiment, triggering information may be provided from the first lawful interception network entity to the NAF in addition to providing this triggering information to the BSF. The triggering information may indicate to the NAF which security information is to be reported. Additionally or alternatively, the triggering information may indicate which information is to be intercepted. The data of the communication between a UE and NAF may be intercepted at the NAF and the NAF may generate IRI reports for the lawful interception entities. In this case, the data communication need not be intercepted on the Ua interface; however, it will be appreciated that in some embodiments, interception may be carried out on the Ua interface (for example via an SGSN/GGSN) as well as at the NAF.

FIG. 3 shows an example of a network in which the NAF is configured to report security information and/or data communication to a lawful interception entity. It will be appreciated that the network of FIG. 3 may be similar to that of FIG. 1 and that like numerals have been used to denote like entities.

The network of FIG. 3 comprises a UE 101, NAF 102, BSF 103, SLF 105 and HSS 104. Additionally the network comprises a LEMF 106, a first lawful interception (LI) network entity 107, a second LI network entity 108 and a third LI network entity 301.

The first LI network entity 107 may be configured to provide LI control information to other entities of the network. The control information may include information relating to when a lawful interception report is to be generated, an identity of a user for which information is to be intercepted, an identity of a service and/or a type of information to be intercepted.

The second LI entity 108 may be configured to receive security information relating to the communication between the UE 101 and the NAF 102 to be intercepted. The second LI entity may further provide this information to the LEMF 106. This information may be, for example, in the form of an LI IRI and include information such as keys, security parameters and/or other information that may allow the LEMF 106 or an associated entity to decrypt intercepted communication.

The third LI entity 301 may be configured to receive intercepted communications, for example intercepted communication between the UE 101 and NAF 102. The third LI entity 301 may receive information such as the intercepted communication via an X3 interface. The third LI entity 301 may be further configured to provide the intercepted communication to the LEMF 106.

In the embodiment of FIG. 3, in addition to providing triggering information to the BSF 103, the first LI network entity 107 may provide triggering information to the NAF 102. The NAF 102 may be an application server with which a user is communicating; for example, the UE 101 may be communicating with the NAF 102 via the interface Ua. The NAF 102 may identify which security information and which data communication is of interest to the LEMF 106 based on the triggering information. For example, the NAF 102 may use an identity of the user or type of communication to identify and provide a key or other security information associated with that user to the LEMF 106. This information may be provided to the second LI network entity 108.

The NAF 102 may also identify the data communication between the NAF 102 and the UE 101. The NAF 102 may then intercept the identified data communication and provide it to the third LI network entity 301. The intercepted data communication may be provided over an X3 interface.

In the embodiment of FIG. 3, both the BSF 103 and the NAF 102 may provide security information to the LEMF 106. The BSF 103 and NAF 102 may both be in communication with the first LI network entity 107 to receive trigger information and may both be in communication with the second LI network entity 108 to provide the security information. The NAF 102 may further be configured to intercept data communication and be in communication with the third LI network entity 301 to provide the intercepted data communication.

FIG. 4 shows an example of the method step that may be carried out inaccordance with this embodiment.

At step 401, trigger information is received. This information may bereceived from the first LI network entity 107. It will be appreciatedthat both the BSF 103 and the NAF 102 may receive this information.

At step 402, one or more IRI reports are generated. The reports mayinclude security information identified by the trigger informationreceived at step 401. The reports may be generated by both the BSF 103and NAF 102. In some embodiments however, the trigger information mayidentify the type of security information to be sent and it may bedetermined which of the BSF 103 and/or NAF 102 is to generate the IRIreport. The one or more IRI reports may be sent to the second LI networkentity 108. The reports may be sent for example over the X2 interfacesbetween the second LI network entity 108 and the BSF 103 and NAF 102.

At step 403 a further IRI report containing information relating to intercepted data may be generated. The NAF 102 may intercept communication data based on the trigger information. The NAF 102 may generate an IRI report corresponding to this intercepted information and may send the IRI report to the third LI network entity 301. It will be appreciated that step 403 may be carried out whenever the UE 101 and NAF 102 communicate data identified by the trigger information. For example, in some embodiments, all communication data may be intercepted between the UE 101 and NAF 102 and one or more IRI reports may be generated for this intercepted data.

In the embodiment shown in FIG. 3 both the BSF 103 and the NAF 102 may be provided with LI trigger information and related activation data. The BSF 103 may provide an LI event report about the GBA key generation and key usage events. The NAF may also provide an LI event report about GBA key usage and related application parameters. In some embodiments, the BSF 103 and NAF 102 may be in the same operator domain. In embodiments where the BSF 103 and the NAF 102 are in separate networks and lawful interception is activated in both networks, the GBA protected communication content can be decrypted with less effort, as the GBA keys are provided also from the NAF along with the intercepted content.

FIG. 5 shows a further embodiment of a network. In FIG. 5, the NAF 102 may receive trigger information and generate an IRI report corresponding to security information as well as an IRI report corresponding to intercepted data. However, instead of receiving the trigger information directly from the first LI network entity 107, the NAF may receive the trigger information from the BSF 103.

The network of FIG. 5 comprises UE 101, NAF 102, BSF 103, HSS 104 and SLF 105. The network further comprises LEMF 106, first LI network entity 107, second LI network entity 108 and third LI network entity 301. It will be appreciated that these entities may be similar to the like numbered entities in the foregoing.

In the embodiment of FIG. 5, the BSF 103 may receive trigger information from the first LI network entity 107 and provide an IRI report corresponding to security information to the second LI network entity 108. The NAF 102 may receive trigger information and provide an IRI report corresponding to security information to the second LI network entity. The NAF 102 may further intercept communication data and generate and send an IRI report corresponding to intercepted information to the third LI network entity 301.

In the embodiments of FIG. 5, the BSF 103 receives trigger information from the first LI network entity 107 and then provides information corresponding to the trigger information to the NAF 102. This may be provided via an interface between the BSF 103 and the NAF 102. This interface may be for example an Xgba interface.

FIG. 6 shows an example of the method steps carried out in accordance with this embodiment.

At step 601 trigger information is received by the BSF 103. The trigger information may be received from the first LI network entity 107 via the X1_1 interface. The BSF 103 may determine to which service the trigger information refers. At step 702 the BSF may provide information relating to the trigger information to the NAF 102. The information provided to the NAF 102 may be similar to the trigger information received by the BSF 103 in some embodiments. In other embodiments, the BSF 103 may generate a new message including relevant trigger information for the NAF 102.

At step 603, one or more IRI reports may be generated including security information. The one or more IRI reports may be generated by the BSF 103 and the NAF 102 and may be provided to the second LI network entity via an X2 interface.

At step 604, the NAF 102 may intercept the relevant data communication between the UE 101 and the NAF 102 and generate an IRI report corresponding to the intercepted information.

It will be appreciated that while the NAF 102 has been described as generating both an IRI report containing security information and an IRI report for the intercepted data, in some embodiments the NAF 102 may be configured to generate only IRI reports for the intercepted data and the LEMF 106 may require the security information from the BSF 103 only.

The embodiments described in relation to FIGS. 5 and 6 introduce an interface between the BSF 103 and the NAF 102 to trigger interception in the NAF 102 based on the trigger information. This Xgba interface may trigger the interception in the NAF 102 after GBA keys are requested from the BSF 103. In this embodiment, there may be no need for preliminary lawful interception activation in the NAF 102.

FIGS. 7 and 8 show a further embodiment of a network where triggering information is provided to the NAF 102 instead of the BSF 103. In this case, the NAF 102 may prompt the second LI network entity 108 to request security information from the BSF 103.

The network of FIG. 7 comprises UE 101, NAF 102, BSF 103, HSS 104 and SLF 105. The network further comprises LEMF 106, first LI network entity 107, second LI network entity 108 and third LI network entity 301. It will be appreciated that these entities may be similar to the like numbered entities in the foregoing.

The NAF 102 may receive trigger information from the first LI network entity 107. This may be via an X1_1 interface between the first LI network entity 107 and the NAF 102. Similarly to the above embodiments, the NAF 102 may provide an IRI report relating to security information to the second LI network entity 108, for example via an X2 interface between the NAF 102 and the second LI network entity 108. The NAF 102 may also generate an IRI report relating to intercepted information and send it to the third LI network entity 301.

In response to the IRI report or other indication from the NAF 102, the second LI network entity 108 may trigger the generation of an IRI report in the BSF 103 by sending the BSF a request or trigger information over an interface between the BSF 103 and the second LI network entity 108. The BSF 103 may generate and send an IRI report corresponding to the security information.

FIG. 8 shows the method steps that may be carried out in accordance with this embodiment.

At step 801, the NAF 102 may receive trigger information from the first LI network entity 107. The NAF 102 may generate an IRI report in response to the receipt of the trigger information and send the IRI report to the second LI network entity 108 at step 802.

In some embodiments, the IRI report may include security information from the NAF 102. In other embodiments, the report may comprise information to prompt the second LI network entity 108 to request security information from the BSF 103. An IRI report from the NAF 102 containing security information may act as a prompt for the BSF 103 to request security information from the BSF 103.

At step 803, the second LI network entity 803 requests security information from the BSF 103. The request may be in the form of trigger information identifying for example the UE 101 and/or service for which the security information is requested. The request may be made via the Xgba interface between the BSF 103 and the second LI network entity 108.

In response to the request from the second LI network entity 108, the BSF 103 may generate an IRI report including the requested information at step 804.

At step 805, the NAF 102 may intercept data communication between the UE 101 and the NAF 102 and generate an IRI report corresponding to the intercepted information.

In embodiments, lawful interception may be directly activated in the NAF 102 from the first LI network entity. In one embodiment, the NAF 102 may request GBA keys for the communication from the BSF 103 and then provide these keys along with application specific details to the second LI network entity 108 in response to the trigger information. The second LI network entity may then deliver the encryption parameters to the intercepting law enforcement agency, for example via the LEMF 106. The NAF 102 may also intercept the communication if that is under control of the NAF.

Alternatively to the NAF 102 providing the security information, the NAF 102 may provide the trigger information to the second LI network entity 102 and based on that information the second LI network entity may query the BSF 103 about the NAF specific security information. In this embodiment, an interface between the second LI network entity 108 and the BSF 103 is provided. In this embodiment, the NAF 102 and BSF 103 may be in the same network operator domain.
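The three trigger routings described above (FIG. 3: trigger to both BSF and NAF; FIG. 5: trigger to the BSF, relayed to the NAF over Xgba; FIG. 7/8: trigger to the NAF, whose X2 report prompts the second LI network entity to query the BSF) all end with the LEMF holding a NAF-specific key from an X2 report and protected content from an X3 report. The following is an added simulation of those flows, not code from the patent or from any 3GPP implementation. The entity classes, the identities, the first secret, the HMAC-based derivation of the second secret and the SHA-256 stream cipher standing in for GBA-protected traffic are all constructed for illustration; the real GBA key derivation and application protection are not modelled.

```python
"""Constructed simulation of the GBA lawful-interception reporting flows of
FIGS. 3 to 8. Identities, secrets and message layouts are hypothetical; key
derivation and content protection are toy HMAC/SHA-256 constructions, not the
3GPP GBA key derivation or any real application protocol."""
import hashlib
import hmac
from dataclasses import dataclass


def derive_naf_key(first_secret: bytes, rand: bytes, naf_id: str) -> bytes:
    """Second secret (NAF-specific key) derived from the first secret shared by
    the operator and the UE. Both the UE and the BSF run this same function."""
    ks = hmac.new(first_secret, b"Ks|" + rand, hashlib.sha256).digest()
    return hmac.new(ks, b"Ks_NAF|" + naf_id.encode(), hashlib.sha256).digest()


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: keystream block i = SHA-256(key || i). Symmetric."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


@dataclass
class Trigger:            # LI trigger information: which UE and which service
    ue_id: str
    naf_id: str


@dataclass
class IRIReport:          # X2 carries security information, X3 intercepted content
    source: str
    interface: str
    ue_id: str
    payload: dict


class BSF:
    def __init__(self, first_secrets: dict, rand: bytes):
        self.first_secrets, self.rand = first_secrets, rand

    def naf_key(self, ue_id: str, naf_id: str) -> bytes:
        return derive_naf_key(self.first_secrets[ue_id], self.rand, naf_id)

    def report(self, trig: Trigger) -> IRIReport:     # FIG. 4 step 402 / FIG. 8 step 804
        return IRIReport("BSF", "X2", trig.ue_id,
                         {"ks_naf": self.naf_key(trig.ue_id, trig.naf_id).hex()})


class NAF:
    def __init__(self, naf_id: str, bsf: BSF):
        self.naf_id, self.bsf, self.active = naf_id, bsf, set()

    def activate(self, trig: Trigger) -> None:        # trigger received directly or via Xgba
        self.active.add(trig.ue_id)

    def security_report(self, ue_id: str) -> IRIReport:
        key = self.bsf.naf_key(ue_id, self.naf_id)    # NAF obtains Ks_NAF from the BSF
        return IRIReport("NAF", "X2", ue_id, {"app": "hypothetical-app", "ks_naf": key.hex()})

    def receive(self, ue_id: str, ciphertext: bytes):
        """Decrypt application traffic; if LI is active for this UE, also emit
        an X3 report carrying the intercepted (still protected) content."""
        plaintext = xor_stream(self.bsf.naf_key(ue_id, self.naf_id), ciphertext)
        x3 = None
        if ue_id in self.active:
            x3 = IRIReport("NAF", "X3", ue_id, {"content": ciphertext.hex()})
        return plaintext, x3


def lemf_decrypt(reports: list) -> bytes:
    """LEMF side: pair the Ks_NAF from an X2 report with the X3 content."""
    key = next(bytes.fromhex(r.payload["ks_naf"]) for r in reports if r.interface == "X2")
    content = next(bytes.fromhex(r.payload["content"]) for r in reports if r.interface == "X3")
    return xor_stream(key, content)


def run_flow(mode: str) -> tuple:
    """mode: 'fig3' (trigger to BSF and NAF), 'fig5' (trigger to BSF, relayed
    over Xgba to NAF) or 'fig7' (trigger to NAF; its X2 report prompts the
    second LI entity to query the BSF). Returns (decrypted content, report list)."""
    ue_id, naf_id = "ue-001", "app.example"           # constructed identities
    secret, rand = b"constructed-first-secret", b"rand-01"
    bsf, reports = BSF({ue_id: secret}, rand), []
    naf, trig = NAF(naf_id, bsf), Trigger(ue_id, naf_id)
    if mode in ("fig3", "fig5"):
        reports.append(bsf.report(trig))              # BSF -> second LI entity over X2
        naf.activate(trig)                            # direct (FIG. 3) or relayed by BSF (FIG. 5)
        reports.append(naf.security_report(ue_id))
    elif mode == "fig7":
        naf.activate(trig)                            # FIG. 8 step 801
        reports.append(naf.security_report(ue_id))    # step 802: NAF X2 report acts as prompt
        reports.append(bsf.report(trig))              # steps 803/804: second LI entity queries BSF
    else:
        raise ValueError(mode)
    # The UE protects its message with the key it derives from the same first secret.
    ue_key = derive_naf_key(secret, rand, naf_id)
    _, x3 = naf.receive(ue_id, xor_stream(ue_key, b"application payload"))
    reports.append(x3)                                # X3 report to the third LI entity
    return lemf_decrypt(reports), [r.source + "/" + r.interface for r in reports]
```

The point the simulation makes is the one the claims rest on: because the NAF-specific key is a deterministic function of the first secret held by the operator, the BSF can reproduce it for a triggered UE without touching the UE, and the report ordering only changes which entity is prompted first. Traffic for a UE with no active trigger is decrypted by the NAF as usual but produces no X3 report.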

While the NAF 102 and the BSF 103 have both been described as generating IRI reports relating to security information, it will be appreciated that in some embodiments the content of these reports may differ. For example the BSF 103 may provide security keys used in the communication between a UE 101 and NAF 102, while the NAF 102 may provide application specific data pertaining to the application which the NAF 102 provides. In some embodiments, it will be determined whether it is necessary for both the NAF 102 and the BSF 103 to provide security information. In some embodiments, only one of these entities will provide the security information.

While, in the foregoing, the first, second and third LI network entities have been described as separate network entities, it will be appreciated that they may form different functions of a single network entity in some embodiments. It will further be appreciated that the first, second and third network entities may further be provided as part of an existing network entity. It is also noted herein that while the above describes exemplifying embodiments, there are several variations and modifications which may be made to the disclosed solution without departing from the scope of the present invention.

In general, the various embodiments may be implemented in hardware or special purpose circuits, software, logic or any combination thereof. Some aspects of the embodiments may be implemented in hardware, while other aspects may be implemented in firmware or software which may be executed by a controller, microprocessor or other computing device, although the invention is not limited thereto. While various aspects of the invention may be illustrated and described as block diagrams, flow charts, or using some other pictorial representation, it is well understood that these blocks, apparatus, systems, techniques or methods described herein may be implemented in, as non-limiting examples, hardware, software, firmware, special purpose circuits or logic, general purpose hardware or controller or other computing devices, or some combination thereof.

Some embodiments may be implemented by computer software executable by a data processor of the mobile device, such as in the processor entity, or by hardware, or by a combination of software and hardware.

Further in this regard it should be noted that any blocks of the logic flow as in the Figures may represent program steps, or interconnected logic circuits, blocks and functions, or a combination of program steps and logic circuits, blocks and functions. The software may be stored on such physical media as memory chips, or memory blocks implemented within the processor, magnetic media such as hard disk or floppy disks, and optical media such as for example DVD and the data variants thereof, CD.

The memory may be of any type suitable to the local technical environment and may be implemented using any suitable data storage technology, such as semiconductor-based memory devices, magnetic memory devices and systems, optical memory devices and systems, fixed memory and removable memory.

Furthermore, while some embodiments may have been described with entities associated with a specific network implementation, for example in accordance with a 3GPP network, it will be appreciated that embodiments may be implemented in other networks and by network entities not restricted by a specific network implementation.

The foregoing description has provided by way of exemplary and non-limiting examples a full and informative description of the exemplary embodiment of this invention. However, various modifications and adaptations may become apparent to those skilled in the relevant arts in view of the foregoing description, when read in conjunction with the accompanying drawings and the appended claims. However, all such and similar modifications of the teachings of this invention will still fall within the scope of this invention as defined in the appended claims. Indeed, there is a further embodiment comprising a combination of one or more of any of the other embodiments previously discussed.

1-25. (canceled)
26. A method comprising: receiving information associated with a lawful interception of communication data of a user equipment; and providing security information associated with the communication data of the user equipment in response to the received information; wherein the security information is based on a first secret which is shared between a communication network provider and the user equipment.
27. The method of claim 26 wherein the security information comprises a second secret shared between a credentials server and the user equipment, said second secret being based on the first secret.
28. The method of claim 27 wherein the second secret comprises a key for the encryption of communication between the user equipment and an application server.
29. The method of claim 28 wherein the key is at least one of: a symmetric key and an application specific key.
30. The method of claim 26 wherein the received information comprises an identity of the communication data to be intercepted.
31. The method of claim 26 wherein the received information comprises at least one of: an identity of the user equipment; an identity of an application server; and an identity of a type of communication.
32. The method of claim 26 wherein the communication data of the user equipment is communication data between the user equipment and an application server.
33. The method of claim 26 wherein providing security information comprises: generating an interception related information report comprising the security information; and sending the interception related information report to a lawful interception entity.
34. An apparatus comprising at least one processor and a memory, the processor and the memory configured to cause the apparatus to at least: receive information associated with a lawful interception of communication data of a user equipment; and provide security information associated with the communication data of the user equipment in response to the received information; wherein the security information is based on a first secret which is shared between a communication network provider and the user equipment.
35. The apparatus of claim 34 wherein the security information comprises a second secret shared between a credentials server and the user equipment, said second secret being based on the first secret.
36. The apparatus of claim 35 wherein the second secret comprises a key for the encryption of communication between the user equipment and an application server.
37. The apparatus of claim 36 wherein the key is at least one of: a symmetric key; and an application specific key.
38. The apparatus of claim 34 wherein the received information comprises an identity of the communication data to be intercepted.
39. The apparatus of claim 34 wherein the received information comprises at least one of: an identity of the user equipment; an identity of an application server; and an identity of a type of communication.
40. The apparatus of claim 34 wherein the communication data of the user equipment is communication data between the user equipment and an application server.
41. The apparatus of claim 34 wherein providing security information comprises: generating an interception related information report comprising the security information and sending the interception related information report to a lawful interception entity.
42. A non-transitory computer-readable storage medium including program code which when executed by at least one processor causes operations comprising: receiving information associated with a lawful interception of communication data of a user equipment; and providing security information associated with the communication data of the user equipment in response to the received information; wherein the security information is based on a first secret which is shared between a communication network provider and the user equipment.
43. The non-transitory computer-readable storage medium of claim 42, wherein the security information comprises a second secret shared between a credentials server and the user equipment, said second secret being based on the first secret.
44. The non-transitory computer-readable storage medium of claim 43, wherein the second secret comprises a key for the encryption of communication between the user equipment and an application server.
45. The non-transitory computer-readable storage medium of claim 42, wherein the key is at least one of: a symmetric key; and an application specific key.